The purpose of this lab is to familiarize the Student with the new SaaS Federation iApp. Students will use the iApp to create a federation relationship with a commonly used SaaS provider. This lab will leverage the work performed previously in Lab 3. Archive files are available for the completed Lab 3.
Objective:
Lab Requirements:
Estimated completion time: 25 minutes
Navigate to Access ‑> Federation ‑> SAML Identity Provider ‑> External SP Connectors
Click specifically on the Down Arrow next to the Create button (far right)
Select From Metadata from the drop down menu
In the Create New SAML Service Provider dialogue box, click Browse
and select the SAMLSP-00D36000000jjkp.xml
file from the Desktop of your
jump host
In the Service Provider Name field, enter: salesforce
Click OK on the dialog box
Navigate to iApps ‑> Application Services -> Applications and click on the Plus (+) Sign as shown
In the resulting New Application Service window, enter saas as the Name
Select f5.saas_idp.v1.0.rc1
from the Template drop down menu
Note
The iApp template has already been downloaded and imported for this lab. You can download the latest iApp templates from https://downloads.f5.com/
Configure the iApp template as follows:
SaaS Applications | |
---|---|
Application: | New federation relationship with salesforce.com |
SP: | salesforce |
Display Name: | SalesForce |
SP Initiated: | No |
BIG-IP APM Configuration | |
---|---|
What EntityID do you want to use for your SaaS applications? | https://idp.f5demo.com/idp/f5/ |
Should the iApp create a new AAA server or use an existing one? | f5demo_ad |
BIG-IP Virtual Server | |
---|---|
What is the IP address clients will use to access the BIG-IP IdP Service? | 10.1.10.120 |
What port do you want to use for the virtual server? | 443 |
Which certificate do you want this BIG-IP system to use for client authentication? | idp.f5demo.com.crt |
What is the associated private key? | idp.f5demo.com.key |
Note
We are deploying the iApp on a different IP so that you can see
how everything is built out; however, this IdP will not work, as the
idp.f5demo.com
FQDN resolves to another IP.
We are going to use the iApp to create the SAML resource that we will
assign to our existing access policy from Lab 3.
IdP Encryption Certificate and Key | |
---|---|
Which certificate do you want to use to encrypt your SAML Assertion? | SAML.crt |
What is the associated private key? | SAML.key |
Scroll to the bottom of the configuration template and click Finished
Once deployed, you can review the built out SaaS Federation iApp at iApps ‑> Application Services ‑> Applications ‑> saas
Review the new virtual servers created by the iApp at Local Traffic ‑> Virtual Server ‑> Virtual Server List
Review the new Access Policy built by the iApp at Access ‑> Profiles/Policies ‑> Access Profiles (Per-Session Policies) and select the Edit link next to the saas Access Policy
Test the SaaS iApp by clicking on the bookmark in your browser.
Note
Navigating to the virtual server by IP will produce a certificate warning. This is expected. Click through the warning to see the resulting page.
The previous task, Task 2, was to provide you an understanding of how the SaaS Federation iApp can automatically build a configuration for you.
In this task we will be modifying the existing Webtop from prior labs to add the SaaS SalesForce application. The purpose of the task is so you can see the F5Demo App and SalesForce in the same Webtop.
Using the same Access Policy from Lab 3, navigate to Access ‑>
Profiles/Policies ‑> Access Profiles (Per-Session Policies) and
click the Edit link next to the previously created
idp.f5demo.com-policy
In the Visual Policy Editor window for /Common/idp.f5demo.com‑policy
,
click the Advanced Resource Assign object.
Click the Add/Delete link on the Resource Assignment item
Click the SAML tab, and select the checkbox next to
/Common/saas.app/saas_SalesForce_saml_resource_sso
Click the Update button at the bottom of the window to complete the Resource Assignment entry
Click the Save button at the bottom of the Advanced Resource Assign window
Repeat steps 2 - 6 with the Advanced Resource Assign (1) object
In the Visual Policy Editor, click Apply Access Policy (top left), and close the Visual Policy Editor
Using your browser from the jump host, navigate to the SAML IdP previously
configured at https://idp.f5demo.com
(or click the provided bookmark)
Were you prompted for credentials? Were you successfully authenticated? Did you see the webtop with the new SaaS SP application?
Click on the SalesForce icon. Were you successfully authenticated (via SAML) to the SP?
Review your Active Sessions (Access ‑> Overview ‑> Active Sessions)
Review your Access Report Logs (Access ‑> Overview ‑> Access Reports)